CVE-2025-55132
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-03
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | From 20.0.0 (inc) to 20.20.0 (exc) |
| nodejs | node.js | From 22.0.0 (inc) to 22.22.0 (exc) |
| nodejs | node.js | From 24.0.0 (inc) to 24.13.0 (exc) |
| nodejs | node.js | From 25.0.0 (inc) to 25.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in Node.js's permission model where the function futimes() allows changing a file's access and modification timestamps even if the process only has read permissions. Unlike utimes(), futimes() does not enforce write-permission checks, enabling modification of file metadata in read-only directories. This can be exploited to alter timestamps and obscure activity.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing unauthorized modification of file timestamps, which can be used to obscure or falsify activity logs. This reduces the reliability of logs and can hinder forensic analysis or auditing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows modification of file access and modification timestamps without proper write permissions, which can obscure activity and reduce the reliability of logs. Since accurate logging is critical for compliance with standards like GDPR and HIPAA, which require reliable audit trails and activity records, this flaw could negatively impact compliance by undermining the integrity of log data.